Don’t look now, but HIPAA has some regulatory teeth. On second thought, please do review the following to make sure you’re in compliance and not asking for sanctions.
As you may recall, April 21, 2005, was the go-live date for implementing the Health Insurance Portability and Accountability Act (HIPAA) for most providers. Included in the regulation is the requirement that each covered entity monitor its compliance with the Act. The new Enforcement Rule gives the Office for Civil Rights the authority to investigate complaints and to require corrective action and levy penalties. The bottom line to remember is that HIPAA compliance is not a onetime event.
But first a disclaimer: This article is not intended to be legal advice, but rather the author's interpretation and understanding of the current HIPAA Security and Enforcement Rules. Facilities should always review compliance issues with competent legal counsel. (Also, see “A Road Map to HIPAA Compliance,” May 2004, p. 65, for additional background and a glossary.)
Who Is Responsible?
HIPAA places the responsibility for compliance on the covered entity, not the individual worker. It is the organization's responsibility to safeguard electronic protected health information (EPHI). Administrators can delegate the authority to conduct HIPAA compliance assessment, monitoring, and corrective actions, but cannot delegate the responsibility of achieving compliance.
Two major changes to the HIPAA regulatory environment occurred last year: The Centers for Medicare & Medicaid Services (CMS) issued the HIPAA Administrative Simplification: Enforcement Final Rule (February 16, 2006, 45 FR 8390), and the HIPAA Security Guidance for Remote Use of and Access to Electronic Health Information (December 28, 2006). HIPAA now has regulatory “teeth” as well as guidance capabilities regarding off-site access to your facility's EPHI. Your organization's compliance plan must now account for these requirements, building on its past plans. Nothing has been removed from the HIPAA requirements—if anything, because of recent high-profile losses of federal data, scrutiny has increased.
Approaches to Compliance Review
An annual focused review of the organization's HIPAA compliance is an appropriate measure to improve compliance and to show good-faith effort. In addition, whenever new software or hardware is put into service, a risk assessment of the affected processes and systems is needed.
The scope and complexity (and cost) of compliance monitoring are expected to vary according to the covered entity's size and complexity. However, all providers must show good-faith efforts to comply with HIPAA standards.
Four elements are needed to monitor HIPAA compliance:
Designated person. This may be the administrator, deputy, health information specialist, privacy officer, or other person who reports to the administrator. This position will require dedicated time that must be budgeted for.
Knowledge of the HIPAA requirements. The Department of Health and Human Services (HHS) and CMS have produced extensive educational materials to assist providers. Nursing homes, home care providers, health information professionals, and trade associations have developed checklists and training offerings for members. Private training firms may also offer training. Appropriate budget must be dedicated to ensure that the responsible people have the information to do their job. The HHS and CMS materials are free, as are many of the association and state offerings.
A plan. CMS has developed a HIPAA Security Rule “Basics of Risk Analysis and Risk Management” that forms the outline of an initial plan. However, each covered entity must adapt a plan to its own unique circumstances. The plan developed for implementation a year ago may just need to be reviewed and updated. Or it may be better to simply start over.
Action. The plan must be carried out and documented, and corrective actions implemented and enforced.
It may also be useful to have an outside review of HIPAA security compliance. This can be by arrangement with sister covered entities; i.e., one nursing home compliance officer reviewing the practices of another home, with reciprocity. Of course, private consultants are available from various sources.
Considerations for Post-Acute and Long-Term Care
The Security Standards were written to apply to the whole continuum of healthcare entities that create, maintain, or transmit EPHI. Nursing homes and home care agencies are in the continuum but have needs that are different from those of hospitals and ambulatory care settings.
Most nursing homes and home care agencies get their computer support from third-party vendors. Vendors and systems vary greatly in their ability to comply with HIPAA requirements. Providers must evaluate their own systems for compliance, demand assurances of compliance from outside parties whose systems the provider cannot evaluate itself, and monitor the ongoing use of their systems to ensure that the protections are actually used by staff and are effective. In short, policies must be developed, staff must be trained in them, and they must be enforced.
New areas of emphasis that must be considered in revising Security compliance plans are:
Remote access. HHS has growing concern about systems that can be accessed remotely. CMS stresses that in situations involving the remote use of and access to EPHI, covered entities must make reasonable efforts to ensure that any such use or access is authorized and limited, as required by the HIPAA Security Rule.